GDPR - one year later

The GDPR Focus on Digital Business Big and Small

One year ago, GDPR loomed on the horizon. No one seemed certain how it would affect the EU or EU-related foreign businesses. What seemed to preoccupy everyone the most was whether or not they would be ready to implement the regulation in time.

Deadlines, Scandals and Consequences

For many not directly employed by the soon-to-be-affected companies, the lead-up to May 25th, 2018 was marked by an increase in e-mail traffic. Various businesses and service providers were scrambling to ask their customers and users to update their data and provide consent. They were also spamming a lot of inboxes in the process.

In a speech made to the European Parliament in early 2018, Mark Zuckerberg stated that Facebook would be ready to implement GDPR by the May 25 deadline. This came on the heels of the Cambridge Analytica Scandal and Facebook's £500,000 fine.

CA was famously involved in the 2016 US elections but also used UK and EU citizens' personal data, acquired from Facebook, for Vote Leave and BeLeave campaigns during the Brexit Referendum. The data breach did, however, have a positive effect.

In 2017, British consumers seemed overwhelmingly uninterested in exercising their upcoming privacy protections. However, post-CA, an SAS poll showed that 72% of polled people had already changed their data permissions ahead of May 25th and were planning on sharing less data in the future.

Subject to Interpretation

GDPR's success with Google, however, has been less than impressive so far. Google interpreted GDPR very strictly without notifying the publishers that used it as a platform, which seriously affected the entire digital ads sphere.

Also, Google's sheer number of active users provides it with a significant advantage over its competitors and allows it to adapt its GDPR strategy without significant repercussions.

Of note is the effect GDPR has had on digital services, including mobile banking, streaming services, and tech companies, all of which proved extremely agile when it came to GDPR compliance. This is because all of these services recognized the opportunity to build customer loyalty, which is, along with trust, one of the most important things.

US Refuses to Play

Meanwhile, US companies that processed EU citizens’ data decided to deal with GDPR by simply prohibiting access to their services to European users.

Some services then attempted to offer a premium subscription in return for no ads and no data tracking, or a free subscription but with consent to be tracked. UK's ICO had something to say about this practice, reprimanding the Washington Post. However, the reprimand was not followed by any sterner measures and, as such, probably will not dissuade further instances of such practice.

Apple's CEO Tim Cook has recently voiced his support for GDPR and said that the rest of the world should implement similar regulation. While Cook didn't specify the catalysts behind the statements, he was nodding towards recent events such as the Cambridge Analytica Scandal. Now he has been joined by Cisco in calling for data laws to be embraced by the US as they have been in Europe.

At a privacy conference in Brussels, he stated that "Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies". (CNBC)

All About the Fines

What about the fines? The summer of 2018 saw a Portuguese hospital fined €400,000 for GDPR violations: granting social workers access to patients' clinical data and providing doctor-level access to over 900 users while having fewer than 300 physicians on staff. The case is notable not only for being one of the first publicly announced fines but also for the figure.

Since the maximum fine under GDPR is €20 million, it seems regulators were willing to make a measured response. This can be compared to Uber, which received a £385,000 fine for failing to protect customer data during a cyber attack.

While the attack predated GDPR and the fine was made under the Data Protection Act, it is inevitable that a full GDPR-level fine will occur in the near future, perhaps as early as 2019. One thing is for sure: no business or service, no matter how big or small, whether government-owned, publicly traded or a private enterprise, is beyond the regulation enforcers' scrutiny, and any of them can be subject to steep fines. Which, after all, is one of GDPR's main aims.